[openstack-dev] [keystone][monasca][congress][senlin][telemetry] authenticated webhook notifications

Eric K ekcs.openstack at gmail.com
Tue May 8 21:13:48 UTC 2018

Thank you, Zane for the discussion.

Point taken about sending webhook notifications.

Primarily I want Congress to consume webhook notifications from the
openstack services which already send them (monasca, vitrage, etc.). Most
of them do not currently support sending appropriate keystone tokens with
the notifications, but some are open to doing it.

The aodh and zaqar references are exactly what I was hoping to find. I
couldn't find a reference to it in aodh docs or much on google, so many
thanks for the pointer!


On 5/8/18, 1:20 PM, "Zane Bitter" <zbitter at redhat.com> wrote:
>If the caller is something that is basically trusted, then you should
>prefer regular keystone auth. If you need to make sure that the caller
>can only use that one API, signed URLs are still the only game in town
>for now (but we hope this is very temporary).
>> I know some people are working on adding the keystone auth option to
>> Monasca's webhook framework. If there is a project that already does it,
>> it could be a very helpful reference.
>There's a sort of convention that where you supply a webhook URL with a
>scheme trust+https:// then the service creates a keystone trust and uses
>that to get keystone tokens which are then used to authenticate the
>webhook request. Aodh and Zaqar at least follow this convention. The
>trust part is an important point that you're overlooking: (from your
>other message)

More information about the OpenStack-dev mailing list